Most of the items are old news but I think it is a good checklist that should be on the boiler plate for web application design documents. By putting security requirements in the software specification and design documents, the project manager can then allocate time and resources to security aspects of development. In addition, it reminds developers to ask themselves if the software is meeting those requirements throughout the development process. This is opposed to thinking about security after the entire application has been written and discovering a fundamental design flaw that will require re-writing a good portion of the application.

I particularly appreciate that each item on the CWE/SANS list is weighted including weakness prevalence, remediation cost, attack frequency, attacker awareness, etc. No project has an unlimited budget but you can prioritize on where to focus your resources to achieve the most secure solution. Generally it is a good idea to ensure that the cost of defeating an application’s security far outweighs any benefits to be gained from doing so. The cost of defeating an application might include labor time, computing resources, fines, and threat of jail time with a cell mate named Bubba, etc.

It is quite a challenge to develop secure web applications because generally by their nature they need to accept user input. I believe that it is typically much more difficult develop a secure system than it is to break in to the system given the same number of hours so there is often more burden on the developer. It might take only two or three days to develop a working database driven web application but many additional weeks to harden it against attacks and make it reliable, scalable, and highly available. Including security requirements in the software specification and design is essential to planning and allocating resources.

Ideally automated tests should be included to continuously test vulnerabilities throughout the life of an application. This way security vulnerabilities introduced by code changes will be detected early in the development process instead of later in production. Automated tests could attempt buffer overflows, sql injections, etc. and could be executed prior to a developer’s check-in or on a nightly cron job that automatically checks out the code and runs the tests against it. Although costly to implement initially, automated security testing will likely pay for itself many times over the course of an application’s life. I plan to talk more about automated testing in future posts.

• Lego Imperial Star Destroyer – Star Wars Set 6211. My awesome wife got this for me. Many of the folks I work with at BlueTie have proudly decorated their cubicles with Legos and I am clearly behind in the Legos arms race. It is time to play catch up. I plan to post a build log on my photo blog site.
• Herbie the Mousebot Kit from the Make Magazine store, Maker SHED. It is a light seeking robot kit with just a PC board and some parts (soldering iron not included). The interesting thing about this kit is that it uses a simple LM386 audio amplifier IC as the “logic controller” instead of a PLC or micro-controller.
• Smart and Gets Things Done: Joel Spolsky’s Concise Guide to Finding the Best Technical Talent by Joel Spolsky. I previously have read Joel on Software (the book with the really long title/not the blog) and was interested in Joel’s take on hiring developers. Both books are mostly a rehash of content Joel has posted on his blog but in a convenient book format that can easily be read at my in-laws house over the holidays. It is a quick read and I finished it last weekend. I will post a review in a bit.
• Linux Application Development (paperback) (2nd Edition). Although I don’t have any allegiances to a particular platform, most of my recent development at work has been on Linux so I want to become more familiar with Linux system development.
• Java Phrasebook (Developer’s Library). I already have PHP Phrasebook (Developer’s Library) and found it pretty handy and now I have the Java version. Just a heads up though… it doesn’t have much Selvlet, JSP, or EJB stuff. All the examples can be done using J2SE.
• The Elements of Photography: Understanding and Creating Sophisticated Images. I have a photo blog in addition to this one and I am always looking for ways to improve my photography process beyond simple simple snap shots.

I also received some gift cards:

• Amazon.com Gift Card
• Barnes and Noble

I bought a little something for myself. My soldering irons are getting a bit old and I wanted a nice solder station to build my Mousebot with:

• Weller WLC100 Soldering Station For Hobbyist And Diyer